The hack took place between March and May 20 of this year, according to a copy of the letter posted on the website of California’s Attorney General.
Unauthorized third parties exploited a flaw in the company’s SMS account recovery process to gain access to the accounts, and transfer funds to crypto wallets not associated with Coinbase, the company said.
“We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost,” a Coinbase spokesperson said on Friday.
The hackers needed to know the email addresses, passwords and phone numbers linked to the affected Coinbase accounts, and have access to personal emails, the company said.
Coinbase said there was no evidence to suggest the information was obtained from the company.
News of the hack was earlier reported by technology news portal Bleeping Computer.